Barrett Brown was not convicted merely for linking to data on the web. He was convicted for three separate offenses:

1. Acting as a go-between for (presumably Jeremy Hammond) the Stratfor hacker and Stratfor itself, Brown misled Stratfor in order to throw the scent off Hammond. Having intimate knowledge of a crime doesn't make one automatically liable for that crime, but does put them in a precarious legal position if they do anything to assist the perpetrators.

2. During the execution of a search warrant, Brown helped hide a laptop. Early in the trial, in advancing the legal theory that hiding evidence is permissible so long as that evidence remains theoretically findable in the scope of the search warrant, Brown admitted to doing exactly that, and that's a crime for the same reason that it's a crime when big companies delete email after being subpoenaed.

3. Brown threatened a named FBI agent and that agent's children on Twitter and in YouTube videos.

The offense tied to Brown's "linking" was dismissed.

Brown's sentence was unjust, but it wasn't unjust because he was wrongly convicted by a trigger-happy DOJ; rather, he got an outlandish sentence because he managed to stipulate a huge dollar figure for the economic damage caused by the Stratfor hack, which he became a party to when he helped Hammond.
I don't understand exactly why it's necessary to release usernames along with the passwords, or why it's ethical to do so. Stripping the domain portion of email addresses does absolutely nothing when you can find the real email, and other accounts of the victim, by Googling the unique part of the email address.

How does tying each password to its corresponding username help with password research, and does the value gained outweigh the cost of someone using this list for malicious purposes?

I'm not saying this should be illegal, but I'm struggling to understand the intent here.
There is an annual 'Passwords' conference [1], which I attended in 2012, and was blown away by quite how much researchers are able to do with these password lists.

Unfortunately, I was equally impressed with what attackers are able to do with them as well. An important point is that attackers tend to have better lists, because they are the ones stealing and cracking them, and these lists make them increasingly better at cracking passwords. Defenders use the lists for all sorts of analysis on how exactly users pick passwords.

For example, "complex password policies" have become increasingly popular. But do they actually increase the entropy of the chosen passwords? Surprisingly little, since users will "defeat" the policy by applying easy-to-guess "munging rules". Humans being human and such. The thieves have the lists, and learn to apply the munging rules and defeat the policies. Researchers need these lists so they can discover the same weakness and try to react.

More recent research looks at things like how effective the password strength indicators are at actually helping users choose stronger passwords. We also learn about how users choose different strength passwords based on the sites they visit and such. This is absolutely fertile ground for research which can improve how we perform authentication.

Yet another good use of the lists is in defending against online attacks, e.g. failed attempts that follow the general probability distribution of the lists are easier to identify as bots.

[1] - I think all the talks are posted, although I'm not sure there's a central archive; each conference is identified as Passwords^[Year], e.g. Passwords^14 https://passwordscon.org/
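The last point above, failed logins that track the leaked-list distribution being a bot signal, as an added example that is not from the thread: the frequency list and the failed-login records are constructed, and the rank-order heuristic is this example's own, not a published method.

```python
"""Flag login sources whose failed attempts look like a walk down a
leaked-password frequency list. Added example; all data is constructed."""
from collections import defaultdict

# Constructed top-N list in descending frequency order (rank 0 = most common).
TOP_PASSWORDS = ["123456", "password", "12345678", "qwerty", "abc123",
                 "111111", "letmein", "monkey", "dragon", "iloveyou"]
RANK = {pw: i for i, pw in enumerate(TOP_PASSWORDS)}

# Constructed failed-login records: (source_ip, username, attempted_password).
FAILED_LOGINS = [
    ("10.0.0.7", "alice", "123456"), ("10.0.0.7", "bob", "password"),
    ("10.0.0.7", "carol", "12345678"), ("10.0.0.7", "dave", "qwerty"),
    ("10.0.0.7", "erin", "abc123"),
    # A human mistyping their own password: variants, none on the list.
    ("192.0.2.9", "frank", "Tr0ub4dor"), ("192.0.2.9", "frank", "Tr0ub4dor!"),
    ("192.0.2.9", "frank", "troub4dor!"),
]

def score_sources(events, rank=RANK, min_attempts=3):
    """Return {ip: (fraction_in_list, rank_ordered)} per source with enough attempts."""
    by_ip = defaultdict(list)
    for ip, _user, pw in events:
        by_ip[ip].append(pw)
    scores = {}
    for ip, pws in by_ip.items():
        if len(pws) < min_attempts:
            continue
        ranks = [rank[p] for p in pws if p in rank]
        fraction = len(ranks) / len(pws)
        # A bot walking the list tries passwords in descending popularity,
        # so its in-list ranks come out non-decreasing over time.
        ordered = len(ranks) >= 2 and all(a <= b for a, b in zip(ranks, ranks[1:]))
        scores[ip] = (fraction, ordered)
    return scores

def flag_bots(events, threshold=0.8):
    """Sources whose attempts are mostly list entries, tried in list order."""
    return sorted(ip for ip, (frac, ordered) in score_sources(events).items()
                  if frac >= threshold and ordered)

if __name__ == "__main__":
    print(flag_bots(FAILED_LOGINS))
```

The threshold and the minimum attempt count are tuning knobs; on real traffic they need calibrating against a baseline of genuine user typos.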
Forgive me for doing so, but allow me to ask some possibly ignorant questions and perhaps play the devil's advocate for a moment. What about this release will help? What are the compelling research problems in the space?

We know users pick bad passwords. It seems to me the most compelling "problem" is hardly a research question -- isn't it about finding ways to encourage users to pick strong passwords, not share them between sites, and not put them on sticky notes on their monitors?

Ok, putting my charitable hat on again... My best guess is that researchers would like some idea about how long it takes to crack some percentage of accounts; e.g. with rainbow tables or other techniques?

The author mentioned "Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone." What directions might a researcher take this?
When I first got on the Internet in 1994 I used the same password for everything for the next decade before I became security conscious (now I have a random, strong, unique password for every service).

Anyways, that password is not in this list. I have found it in other password dumps before. So, I don't know what to think.
From the law quoted in the article, wouldn't it be illegal to simply make a course about computer security?

The teacher willfully (and knowingly) teaches the student about "possible means of access to a protected computer."

Note: According to http://www.law.cornell.edu/uscode/text/18/1029 teaching is defined as trafficking information ("the term “traffic” means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of; ")
Even if this release has no implications for security, I think it may raise legitimate concerns for users' privacy. No doubt most users expect that their passwords will be known only to themselves. Many of the usernames contain real names, and many more could probably be traced to them. Ian Watkins was found to have "gloated" about his crimes in his password. With time and attention, I wonder whether such "dark secrets" could be found in this list.
Went ahead and performed a Levenshtein distance analysis from this list, and made a graph of it. Number 8 seems to be the sweet 'secure' spot that most people latch onto, though the distribution curve is interesting - or very human-like: http://pp19dd.com/2015/02/levenshtein-distance-10-million-usernames-passwords/
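A username-to-password Levenshtein histogram of the kind the comment describes, as an added example that is not the linked analysis: the combo lines are constructed, and treating the dump as tab-separated username/password pairs is an assumption of this example. A distance of 0 or 1 means the password is essentially the username, which a registration check can reject outright.

```python
"""Histogram of edit distance between each username and its password.
Added example with constructed data; the dump format is assumed."""
from collections import Counter

def levenshtein(a: str, b: str) -> int:
    """Two-row dynamic-programming edit distance (insert/delete/substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def parse_combos(text: str):
    """Parse 'username<TAB>password' lines (assumed layout); skip blanks."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, _sep, pw = line.partition("\t")
        pairs.append((user, pw))
    return pairs

def distance_histogram(pairs):
    """Counter of case-insensitive edit distance per (username, password)."""
    return Counter(levenshtein(u.lower(), p.lower()) for u, p in pairs)

# Constructed sample dump, not real leaked data.
COMBOS = """\
jsmith\tjsmith1
alice\talice
bob99\tpassword
carol\tcarol2015
dave_k\tdragon
"""

if __name__ == "__main__":
    for dist, n in sorted(distance_histogram(parse_combos(COMBOS)).items()):
        print(f"distance {dist}: {n}")
```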
This is great, but if you use a password manager, it's very difficult to determine which, if any, of your accounts would be compromised. For myself, this would just be doing a dump and looping a few greps. But for family and friends, does anyone have any ideas for a less technical audience?
http://security.stackexchange.com/questions/46625/is-it-legal-to-publish-viticims-password-and-email

I thought of exactly the same. I was motivated by the password strength meters out there. How can you actually tell whether a password is strong or not, or whether a password is known to an attacker or not, if you can ask (I was thinking along the lines of private information retrieval) privately and get a probability rather than a yes/no based on all the known stolen credentials out on the Internet (there are many multi-GB files you can download)...
Just a thought here. As far as I can tell, many bona fide security researchers seem to be independent consultants. Would they be less at risk of prosecution if they were handling sensitive data such as user names and passwords under the coverage of universities and/or similar accredited institutions operating under protocols as to who can and cannot access the data?

It would probably be more security theatre than actual security, but I'd imagine that it would at least keep the FBI happy.
I wish there was an origin with these. A username/password combo I use on a ton of sites I don't care about is on here. It would be nice to know which one leaked it.
What sorts of analyses are you guys planning? Maybe:
-clustering of passwords. are aspects of the username biased towards certain clusters?
-distribution of alphanumeric characters at each position of a password (e.g. 1 is a disproportionately common final character)
-differences in password strength between usernames with male and female names
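The second bullet, per-position character statistics (is '1' really the favourite final character?), as an added example that is not from the thread; the password list is constructed.

```python
"""Per-position character-class profile over a password list, plus the share
of passwords ending in a given character. Added example; data is constructed."""
from collections import Counter, defaultdict

def char_class(c: str) -> str:
    """Bucket a character as digit, upper, lower or symbol."""
    if c.isdigit():
        return "digit"
    if c.isalpha():
        return "upper" if c.isupper() else "lower"
    return "symbol"

def position_profile(passwords, from_end=False):
    """Map position index -> Counter of character classes at that index.
    With from_end=True, index 0 is the final character, 1 the one before it."""
    profile = defaultdict(Counter)
    for pw in passwords:
        seq = pw[::-1] if from_end else pw
        for i, c in enumerate(seq):
            profile[i][char_class(c)] += 1
    return profile

def final_char_share(passwords, char="1"):
    """Fraction of passwords whose final character is `char`."""
    if not passwords:
        return 0.0
    return sum(1 for pw in passwords if pw and pw[-1] == char) / len(passwords)

# Constructed sample, not real leaked data.
PASSWORDS = ["password1", "Summer2015", "qwerty1", "letmein!", "dragon1",
             "Monkey123", "iloveyou", "welcome1", "Pa55word", "football1"]

if __name__ == "__main__":
    print("share ending in '1':", final_char_share(PASSWORDS))
    print("final-char classes:", dict(position_profile(PASSWORDS, from_end=True)[0]))
    print("first-char classes:", dict(position_profile(PASSWORDS)[0]))
```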
To save a moment of time, here's a quick check that won't save the password string to your command history:

read -r -s -p "Password: " password && grep -c -i -F -- "$password" 10-million-combos.txt; unset password
Woah, you are REALLY optimistic about law enforcement agencies wanting to focus on real criminals.

But Barrett Brown is not the first or only example.

Aaron Swartz is the only example I need to understand what to expect from the various US law enforcement agencies.
Could someone describe the dataset for me? Is it just two columns with one for usernames and another for passwords? Or is there any other info included? I'm on mobile right now or else I'd grab it myself.
Way to go buddy! This research is indeed necessary and releasing such a dataset will be beneficial. Maybe it will also bring light to how outdated password based authentication really is.
If anyone wants to check their username, I have a searchable DB up now. https://levlaz.org/passwords
It seems very useful for research and also practical uses, like how about a REST API with this dump? get <password> will not only return true if it exists but how common and how weak it is, or will return a false for unique. Is there such a service out there?
> Many companies, such as Facebook, also monitor public data dumps to identify user accounts in their user base that may have been compromised and proactively notify users.

That is smart!
I could be relieved that my favourite password isn't in there but it's already been leaked by stupid, stupid engineers working for Riot (League of Legends video game) who stored it in plaintext and a hacker got it. It is a good practice to regularly change passwords anyways: If you're worried that your password is in there, you're doing it wrong in the first place.
Everyone knows the whole email/password concept is broken. I believe that overall OAUTH is needed, but it needs a much stronger consumer facing view.
It was a mistake to release this today.

Everyone knows that legally questionable moves should always be made on a Friday. That allows everyone in government to cool down for a couple of days. By the time the weekend is over all the news outlets have moved on to whatever war just started up. You don't want some hothead prosecutor tweeting out a threat, forcing himself to follow through later in the week. Nobody picks a fight when 15 minutes away from a weekend.

Watch the NSA/CIA/MIB admissions. They always stage their spying/torturing mea culpas on Friday afternoons.